Well, I think that, more than Spring MVC, your question is about program design. The requirements indicated in your question have nothing to do with sessions, even though of course Spring MVC handles sessions for you. Each user will have their own session; hence, it's irrelevant to the application requirement.
My advice is for you to do a quick tutorial on UML and how to model business applications, and to look at other similar examples on the web where a common resource is shared with many other users with permissions, etc.
I do not think that Spring Security out-of-the-box can help you, as the default Spring Security is based on access and authentication of resources/methods. Having said that, maybe this approach can work with default Spring Security: you have your design page duplicated on 2 different views (web pages). One view will have the static design and the other will have the changeable design. Hence, if a person is logged on with the correct authority, then he/she can view the changeable page; otherwise he/she will be redirected to the static page.
Another approach would be to do it yourself once you are familiar with UML.
I hope the above helps you.
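The two-view approach described in the answer above, as an added example that is not part of the original answer. It assumes Spring Boot 3 with Spring Security 6; the `DESIGNER` role, the `/design`, `/design/edit` and `/design/view` paths and the view names are hypothetical.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;

@Configuration
class DesignSecurityConfig {
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // Enforced server-side: the changeable view (and anything that
                // saves changes under it) needs the hypothetical DESIGNER role.
                .requestMatchers("/design/edit/**").hasRole("DESIGNER")
                .requestMatchers("/design", "/design/view").permitAll()
                .anyRequest().authenticated())
            // A logged-in user without the role who requests the editable
            // page directly is sent to the static page instead of a 403.
            .exceptionHandling(ex -> ex.accessDeniedHandler(
                (request, response, denied) ->
                    response.sendRedirect(request.getContextPath() + "/design/view")))
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}

@Controller
class DesignController {
    // Single entry point: choose the view from the caller's authorities.
    // Authentication is null for a user who is not logged in.
    @GetMapping("/design")
    public String design(Authentication authentication) {
        boolean canEdit = authentication != null
            && authentication.getAuthorities().stream()
                .anyMatch(a -> "ROLE_DESIGNER".equals(a.getAuthority()));
        return canEdit ? "redirect:/design/edit" : "redirect:/design/view";
    }

    @GetMapping("/design/edit")
    public String editable() { return "design-edit"; }    // changeable design

    @GetMapping("/design/view")
    public String readOnly() { return "design-static"; }  // static design
}
```

The redirect in the controller is only a convenience; the `hasRole` rule on `/design/edit/**` is what actually keeps users without the authority out of the changeable page.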